Cisco Systems ASA Services Module Webcam User Manual


 
18-12
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 18 Configuring the TLS Proxy for Encrypted Voice Inspection
CTL Provider
To create a new key pair, click New. The Add Key Pair dialog box opens. See the “Configuring
Identity Certificates Authentication” section on page 40-24 in the general operations configuration
guide for details about the Key Pair fields.
Step 4 In the Security Algorithms area, specify the available and active algorithms to be announced or matched
during the TLS handshake.
Available Algorithms—Lists the available algorithms to be announced or matched during the TLS
handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1.
Add—Adds the selected algorithm to the active list.
Remove—Removes the selected algorithm from the active list.
Active Algorithms—Lists the active algorithms to be announced or matched during the TLS
handshake: des-sha1, 3des-sha1, aes128-sha1, aes256-sha1, and null-sha1. For client proxy (acting
as a TLS client to the server), the user-defined algorithms replace the original ones from the hello
message for asymmetric encryption method between the two TLS legs. For example, the leg between
the proxy and Call Manager may be NULL cipher to offload the Call Manager.
Move Up—Moves an algorithm up in the list.
Move Down—Moves an algorithm down in the list.
Step 5 Click Next.
The Add TLS Proxy Instance Wizard – Other Steps dialog box opens. The Other Steps dialog box
provides instructions on the steps to complete outside the ASDM to make the TLS Proxy fully functional
(see Add TLS Proxy Instance Wizard – Other Steps, page 18-12).
Add TLS Proxy Instance Wizard – Other Steps
Note This feature is not supported for the Adaptive Security Appliance version 8.1.2.
The last dialog box of the Add TLS Proxy Instance Wizard specifies the additional steps required to
make TLS Proxy fully functional. In particular, you need to perform the following tasks to complete the
TLS Proxy configuration:
Export the local CA certificate or LDC Issuer and install them on the original TLS server.
To export the LDC Issuer, go to Configuration > Firewall > Advanced > Certificate Management >
Identity Certificates > Export. See the “Exporting an Identity Certificate” section on page 40-27 in
the general operations configuration guide.
For the TLS Proxy, enable Skinny and SIP inspection between the TLS server and TLS clients. See
SIP Inspection, page 12-20 and Skinny (SCCP) Inspection, page 12-32. When you are configuring
the TLS Proxy for Presence Federation (which uses CUP), you only enable SIP inspection because
the feature supports only the SIP protocol.
For the TLS Proxy for CUMA, enable MMP inspection.
When using the internal Certificate Authority of the ASA to sign the LDC Issuer for TLS clients,
perform the following:
Use the Cisco CTL Client to add the server proxy certificate to the CTL file and install the CTL
file on the ASA.